Site-to-Site IPSec with certificate chain help

Hi, Im wonering if you can help me. Im currently x509 certification with Site-to-site IPSec tunnels. I’ve been following this guide:

Eveything works great if I use R1 as the CA. It continues to work fine if I use a 3rd router as the CA to generate certs for R1 and R2. What I can’t get working is adding an intermediary to generate the router certs.

The tunnels consistently fail to build with the log error message of no trusted RSA public key found for …

Has anyone had experence of buiding site-to-site tunnels using certificate chains as I’m probaly missing something simple.


Created a task for this:

1 Like

Thanks for raising this. It alligns with my findings.

If anyone else is having the problem the workaround I have found is to create additional ‘fake peers’. By referencing the missing certificates in these fake peers and setting them to connection-type: none the certificates get added to the correct folder without creating any failed IPSec connections. The certificates then persist after a reboot.

1 Like